
Thread: Need help with Malware Problem: Virtumonde

  #11
    Member | Join Date: Oct 2007 | Posts: 41

    SAS Report

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/22/2007 at 11:04 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3348
    Trace Rules Database Version: 1349

    Scan type : Complete Scan
    Total Scan Time : 00:53:16

    Memory items scanned : 447
    Memory threats detected : 0
    Registry items scanned : 5525
    Registry threats detected : 100
    File items scanned : 39609
    File threats detected : 231

  #12
    Member | Join Date: Oct 2007 | Posts: 41

    SAS Continued...

  #13
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208

    Good Morning,

    Your HJT log looks great. Although you never posted the ComboFix log, you posted your HJT log twice.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  #14
    Member | Join Date: Oct 2007 | Posts: 41

    Oops, sorry about that, here is the ComboFix log.

    ComboFix 07-11-19.3 - Admin 2007-11-22 21:55:35.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -5:00]
    Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
    * Created a new restore point
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-20 23:48]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
    "HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
    "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
    "PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-04-16 07:12]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-02 10:19]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 12:44]

    C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-20 23:41:47]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

    R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
    S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
    S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
    S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
    S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-06-01 13:10:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38L133BDK5.job"
    - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY38L133BDK5
    "2007-11-22 18:09:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
    "2007-11-23 02:48:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 21:58:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-22 21:59:35
    C:\ComboFix2.txt ... 2007-11-22 13:37
    .
    --- E O F ---

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You did not run the CFScript for ComboFix, or did not run it correctly, as all the bad files were not removed. These are all part of Vundo and need to go.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.

    File::
    C:\WINDOWS\system32\mxbhubgd.dll
    C:\WINDOWS\system32\xpywlfue.dll
    C:\WINDOWS\system32\wxbtuanx.dll
    C:\WINDOWS\system32\lwgipqfa.ini
    C:\WINDOWS\system32\afqpigwl.dll
    C:\WINDOWS\system32\kpfxenfo.dll
    C:\WINDOWS\system32\xkiijiyf.exe
    C:\WINDOWS\system32\lnmoq.bak2
    C:\WINDOWS\system32\lnmoq.bak1
    C:\WINDOWS\system32\lnmoq.ini
    C:\WINDOWS\system32\rxqnbksa.dll
    C:\WINDOWS\system32\navwanvd.ini
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #16
    Member
    Join Date
    Oct 2007
    Posts
    41

    Default

    Sorry, I'm not sure what happened.

    Hope this is better.

    ComboFix 07-11-19.3 - Admin 2007-11-23 15:10:19.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -5:00]
    Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
    .

    2007-11-22 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-22 22:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-22 22:07 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
    2007-11-22 22:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-22 13:20 <DIR> d-------- C:\VundoFix Backups
    2007-11-21 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-21 17:07 118 --a------ C:\WINDOWS\system32\MRT.INI
    2007-11-21 14:59 <DIR> d-------- C:\Program Files\CCleaner
    2007-11-21 14:32 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-21 14:25 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-11-09 08:30 583,921 ---hs---- C:\WINDOWS\system32\lwgipqfa.ini
    2007-11-09 08:30 88,128 --a------ C:\WINDOWS\system32\afqpigwl.dll
    2007-11-09 08:22 <DIR> d-------- C:\Program Files\QdrModule
    2007-11-09 08:22 441,950 ---hs---- C:\WINDOWS\system32\lnmoq.bak2
    2007-11-08 10:50 4 --a------ C:\WINDOWS\system32\stfv.bin
    2007-10-24 20:57 <DIR> d-------- C:\WINDOWS\system32\acespy
    2007-10-24 20:19 6,465 ---hs---- C:\WINDOWS\system32\lnmoq.bak1
    2007-10-24 20:18 437,315 ---hs---- C:\WINDOWS\system32\lnmoq.ini
    2007-10-24 20:16 92 --a------ C:\WINDOWS\system32\sznf.ascii
    2007-10-24 20:15 14 --a------ C:\WINDOWS\system32\din.ip
    2007-10-24 20:15 4 --a------ C:\WINDOWS\system32\navwanvd.ini
    2007-10-24 20:15 2 --a------ C:\WINDOWS\system32\lt.res
    2007-10-24 20:13 12,217 --a------ C:\WINDOWS\system32\winlogon.scr
    2007-10-24 20:13 12,217 ---hs---- C:\Documents and Settings\Mom and Dad\winmain.exe
    2007-10-24 20:13 3,739 --a------ C:\WINDOWS\system32\sft.res

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-21 20:24 --------- d-----w C:\Program Files\SpywareGuard
    2007-11-21 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-21 20:06 --------- d-----w C:\Program Files\Dell
    2007-11-21 20:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-21 20:05 --------- d-----w C:\Program Files\CyberLink
    2007-11-08 15:54 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-17 19:04 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
    2007-10-17 19:03 --------- d-----w C:\Program Files\Sonic
    2007-10-17 19:02 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2007-10-17 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-17 18:06 --------- d-----w C:\Program Files\Google
    2007-10-17 17:54 --------- d-----w C:\Program Files\Common Files\Intuit
    2007-10-17 17:24 --------- d-----w C:\Program Files\Java
    2007-10-17 17:23 --------- d-----w C:\Program Files\Common Files\Java
    2007-10-16 04:43 --------- d-----w C:\Program Files\Trend Micro
    2007-10-15 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-10-15 23:22 --------- d-----w C:\Program Files\Yahoo!
    2007-10-15 23:22 --------- d-----w C:\Program Files\Common Files\Scanner
    2007-09-27 11:03 --------- d-----w C:\Documents and Settings\Jen\Application Data\Viewpoint
    2007-09-23 18:18 --------- d-----w C:\Documents and Settings\Mom and Dad\Application Data\Walgreens
    2007-08-17 00:39 61,648 ----a-w C:\Documents and Settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
    2007-03-16 16:42 53,848 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-09 00:55 0 ---ha-w C:\Documents and Settings\Jen\hpothb07.dat
    2006-08-20 23:26 0 ---ha-w C:\Documents and Settings\Mom and Dad\hpothb07.dat
    2006-01-18 01:37 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
    2005-12-27 16:21 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
    2005-12-27 15:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2005-12-27 15:03 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
    2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
    2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2001-11-19 17:14 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
    2001-10-29 19:30 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
    2001-08-17 22:43 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2007-11-22_13.35.23.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-23 03:07:17 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2007-11-23 03:07:17 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2007-11-23 03:07:17 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-20 23:48]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
    "HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
    "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
    "PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-04-16 07:12]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-02 10:19]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 12:44]

    C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-20 23:41:47]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

    R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
    S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
    S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
    S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
    S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-06-01 13:10:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38L133BDK5.job"
    - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY38L133BDK5
    "2007-11-23 18:09:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
    "2007-11-23 17:32:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 15:13:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-23 15:14:39
    C:\ComboFix2.txt ... 2007-11-22 21:59
    C:\ComboFix3.txt ... 2007-11-22 13:37
    .
    --- E O F ---

  7. #17
    Member
    Join Date
    Oct 2007
    Posts
    41

    Default

    Looking at the log, it looks like those files are still showing up. I really thought I did it right.

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    I think you posted the wrong Combofix log. It creates new ones after each scan.

    Completion time: 2007-11-23 15:14:39
    C:\ComboFix2.txt ... 2007-11-22 21:59 <--Need this one
    C:\ComboFix3.txt ... 2007-11-22 13:37

  9. #19
    Member
    Join Date
    Oct 2007
    Posts
    41

    Default

    ComboFix 07-11-19.3 - Admin 2007-11-22 21:55:35.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -5:00]
    Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
    .

    2007-11-22 13:20 <DIR> d-------- C:\VundoFix Backups
    2007-11-21 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-21 17:07 118 --a------ C:\WINDOWS\system32\MRT.INI
    2007-11-21 15:21 80,960 --a------ C:\WINDOWS\system32\mxbhubgd.dll
    2007-11-21 14:59 <DIR> d-------- C:\Program Files\CCleaner
    2007-11-21 14:32 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-21 14:27 80,960 --a------ C:\WINDOWS\system32\xpywlfue.dll
    2007-11-21 14:25 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-11-21 13:21 80,960 --a------ C:\WINDOWS\system32\wxbtuanx.dll
    2007-11-09 08:30 583,921 ---hs---- C:\WINDOWS\system32\lwgipqfa.ini
    2007-11-09 08:30 88,128 --a------ C:\WINDOWS\system32\afqpigwl.dll
    2007-11-09 08:28 77,888 --a------ C:\WINDOWS\system32\kpfxenfo.dll
    2007-11-09 08:24 71,232 --a------ C:\WINDOWS\system32\xkiijiyf.exe
    2007-11-09 08:22 <DIR> d-------- C:\Program Files\QdrModule
    2007-11-09 08:22 441,950 ---hs---- C:\WINDOWS\system32\lnmoq.bak2
    2007-11-09 08:22 145,984 --a------ C:\WINDOWS\system32\rxqnbksa.dll
    2007-11-08 10:50 4 --a------ C:\WINDOWS\system32\stfv.bin
    2007-10-24 20:57 <DIR> d-------- C:\WINDOWS\system32\acespy
    2007-10-24 20:19 6,465 ---hs---- C:\WINDOWS\system32\lnmoq.bak1
    2007-10-24 20:18 437,315 ---hs---- C:\WINDOWS\system32\lnmoq.ini
    2007-10-24 20:16 92 --a------ C:\WINDOWS\system32\sznf.ascii
    2007-10-24 20:15 14 --a------ C:\WINDOWS\system32\din.ip
    2007-10-24 20:15 4 --a------ C:\WINDOWS\system32\navwanvd.ini
    2007-10-24 20:15 2 --a------ C:\WINDOWS\system32\lt.res
    2007-10-24 20:13 12,217 --a------ C:\WINDOWS\system32\winlogon.scr
    2007-10-24 20:13 12,217 ---hs---- C:\Documents and Settings\Mom and Dad\winmain.exe
    2007-10-24 20:13 3,739 --a------ C:\WINDOWS\system32\sft.res

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-21 20:24 --------- d-----w C:\Program Files\SpywareGuard
    2007-11-21 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-21 20:06 --------- d-----w C:\Program Files\Dell
    2007-11-21 20:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-21 20:05 --------- d-----w C:\Program Files\CyberLink
    2007-11-08 15:54 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-17 19:04 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
    2007-10-17 19:03 --------- d-----w C:\Program Files\Sonic
    2007-10-17 19:02 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2007-10-17 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-17 18:06 --------- d-----w C:\Program Files\Google
    2007-10-17 17:54 --------- d-----w C:\Program Files\Common Files\Intuit
    2007-10-17 17:24 --------- d-----w C:\Program Files\Java
    2007-10-17 17:23 --------- d-----w C:\Program Files\Common Files\Java
    2007-10-16 04:43 --------- d-----w C:\Program Files\Trend Micro
    2007-10-15 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-10-15 23:22 --------- d-----w C:\Program Files\Yahoo!
    2007-10-15 23:22 --------- d-----w C:\Program Files\Common Files\Scanner
    2007-09-27 11:03 --------- d-----w C:\Documents and Settings\Jen\Application Data\Viewpoint
    2007-09-23 18:18 --------- d-----w C:\Documents and Settings\Mom and Dad\Application Data\Walgreens
    2007-08-17 00:39 61,648 ----a-w C:\Documents and Settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
    2007-03-16 16:42 53,848 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-09 00:55 0 ---ha-w C:\Documents and Settings\Jen\hpothb07.dat
    2006-08-20 23:26 0 ---ha-w C:\Documents and Settings\Mom and Dad\hpothb07.dat
    2006-01-18 01:37 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
    2005-12-27 16:21 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
    2005-12-27 15:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2005-12-27 15:03 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
    2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
    2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2001-11-19 17:14 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
    2001-10-29 19:30 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
    2001-08-17 22:43 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
    2005-07-29 20:24 472 --sha-r C:\WINDOWS\QWRtaW4\kqlQuqb.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-20 23:48]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
    "HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
    "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
    "PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-04-16 07:12]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-02 10:19]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 12:44]

    C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-20 23:41:47]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

    R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
    S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
    S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
    S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
    S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-06-01 13:10:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38L133BDK5.job"
    - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY38L133BDK5
    "2007-11-22 18:09:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
    "2007-11-23 02:48:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 21:58:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-22 21:59:35
    C:\ComboFix2.txt ... 2007-11-22 13:37
    .
    --- E O F ---

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    C:\ComboFix2.txt ... 2007-11-22 21:59 <--Need this one
